SECURITY REPORT - About Keysight
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
TABLE OF CONTENTS 01 02 03 Introduction The Ixia Application Top 5 Security Threat and Threat Intelligence Insights from 2018 Page 3 Research Center Page 9 Page 6 04 05 Security Watch List Conclusion for 2019 Page 31 Page 27 2 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
SECTION 01 INTRODUCTION Welcome to the third annual Security Report issued by Ixia, a Keysight business. Each year, the Ixia Application and Threat Intelligence (ATI) Research Center summarizes the most interesting and prominent internet security trends. We analyze ATI data to help organizations understand where they can improve. We also analyze the data to predict the biggest hotspots for the coming year. In all our work, we aspire to help cybersecurity professionals strengthen their security posture by sharing knowledge of active exploits, new and old. 3 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
The Top 5 Security Issues from 2018 • Poor or lacking product security exposed businesses to additional risk • The human attack vector, via Phishing and Malware, remained reliable • Poor cyber hygiene continued to persist year after year • The good intention of sharing product vulnerability information actually led to more attacks • Crypto mining/jacking continued without abatement 4 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Key Observations In 2018, we observed many successful attacks based on historic A vulnerabilities. Legacy attacks dating back to as far as 2009 remained effective. Hackers successfully compromised systems when the systems were unpatched, or because no patch was available for a legacy system. Widespread availability of exploit software that targets well-known vulnerabilities also contributed to the phenomenon. Bad security hygiene, in the form of default login and password credentials, also contributed to the problem. B Public cloud architectures created a second vector for new security attacks. Both home-grown and commercial software packages exhibited vulnerabilities. We categorize these into two basic groups: code vulnerabilities and configuration vulnerabilities. Misconfigured security and access policies were a major source of data breach in 2018. Beneath the threats observed lies an unavoidable truth: C Network and application complexity pose serious security threats. Complexity continues to grow within enterprise and service provider IT environments. This growing complexity is creating new security vulnerabilities every day. Thwarting security attacks starts with a continuous commitment to security best practices. Tools augment your ability to mitigate threats, but only security best practices can prevent them. 5 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
SECTION 02 THE IXIA APPLICATION AND THREAT INTELLIGENCE RESEARCH CENTER Ixia’s strategy starts with an elite team of dedicated cybersecurity professionals that form the Ixia ATI Research Center. This globally distributed team works around the world and around the clock from locations like Singapore, California, Texas, Massachusetts, France, Romania, and India. They monitor and analyze the ever-evolving indicators that could threaten the security of IT networks. The team distills that knowledge into research and rule sets. We incorporate these insights into Ixia solutions to maximize your ability to detect and combat the latest threats. 6 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
The ATI team also contributes to the larger security In many cases, the team can go from discovery community. The Ixia ATI team shares what it learns to an Ixia product update within a 24-hour period. with vendors that have been hacked, private agencies Input to the research process comes from (e.g., www.mitre.org), government agencies (e.g., many sources: NIST and DARPA), and at global security conferences • International exploit databases such as Black Hat and RSA. Ixia also promotes a summer security school in Bucharest, Romania, to • The Dark Web help train new security engineers. • Scan of security news alerts and crowdsourcing The ATI team assesses and validates products that are meant to secure the enterprise. The team serves as a • Twitter handles of other security researchers front line of defense, monitoring internet-connected • Partner feeds products and analyzing observed behavior to discover exploitable weaknesses in any vendors’ product. • Honeypots actively looking for attacks in the wild Security alerts and incidents happen all hours of the • Independent research (testing and reverse day and night, so the team takes a follow-the-sun engineering) by the ATI team approach. Dozens of engineers combine to form a single global team that can create and disseminate the latest security intelligence. 7 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Members of the team constantly poll multiple Ixia’s ATI threat intelligence feed incorporates data sources to get insights into vulnerabilities. They in a way no other provider offers. While others in the normalize, correlate, and organize the data to get a industry create automated intelligence platforms clear direction on the threats and how to prioritize or open source feeds, those solutions are generally them. Team members then investigate the threats tailored to provide insights related to specific and either validate or dismiss them. They research products in a vendor’s portfolio. For example, a feed everything to make sure that the threat detection and from Microsoft may focus on vulnerabilities related prevention content deployed in our products is 100 to products and threats relative to the Microsoft percent correct. This deep research also gives them portfolio. Ixia threat feeds look at the internet on the utmost confidence in our data and predictions. a global scale, and provide actionable intelligence based on internet-wide telemetry. The BreakingPoint company established the ATI team in 2005. Ixia acquired BreakingPoint in 2012. The ATI intelligence takes the form of a “rap sheet.” A rap BreakingPoint solution is a security attack and traffic sheet captures threat intelligence via a proprietary generator that network equipment manufacturers, database of known bad actors or offenders. The service providers, governments, and enterprises database is constantly updated, providing real-time use to validate network and security resiliency while actionable threat intelligence. The team validates under load and attacks. Generating traffic using blacklisted sites continuously, updating the database threats based on real-world research is just one to ensure new threats are tracked and false positives way that Ixia and Keysight help harden solutions for are removed. Automated rap sheets provide updates applications as diverse as automotive and Internet of as often as every five minutes, delivering the data in Things (IoT) solutions. real time to Ixia visibility solutions. The ATI team serves as the guard to security guardians - challenging others in the industry to improve their product security, and constantly monitoring to spot issues before they become epidemics. Ixia is committed to making it as hard as possible for hackers to succeed. 8 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
SECTION 03 TOP 5 SECURITY THREAT INSIGHTS FROM 2018 2018 included a mixture of exploits, including some new, as well as many which we had seen before often modified to incorporate more known, unpatched vulnerabilities. 9 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
From the attacks observed, we can draw five major conclusions about the state of security threats in 2018: 1. Software security cause the majority of product vulnerabilities 2. Humans are the 5. Crypto-jacking weakest link: We activity reached new click lots of avoidable peaks in 2018: This phishing and malware threat continues to links grow 4. Security vulnerability 3. Cyber hygiene disclosures are a is at an all-time double-edged sword: low: Vendors and Both hackers and IT need to clean vendors benefit up their act 10 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
1. Software Security Flaws Cause the Majority of Product Vulnerabilities Software security flaws contributed to a record number of security incidents in 2018. We saw more new devices than ever before, but we also saw more devices designed and deployed without proper measures to stop, or even limit, threats. This was especially true for web applications, where bad actors succeeded by exploiting well-understood SQL injection and cross-site scripting vulnerabilities. The use of these two web attack vectors covers the full range of attack delivery, from common spam attacks to automated remote exploitation – the act of taking control of vulnerable servers on a global scale. Zero-day exploits gave hackers an advantage over IT security teams, who struggled to stay ahead of constant vulnerability disclosures. Some open source organizations attempted to proactively mitigate vulnerabilities by standardizing security controls and measures inside commonly used web development frameworks. However, code fragmentation makes it difficult for these central improvements to address the widespread problem. 11 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Code sharing carries other risks, too. For example, a recent study 1 examined code fragments on the popular coding site Stack Overflow. The study found that many Stack Overflow answers contain security vulnerabilities. Developers need to ensure they validate all code for common security design flaws. To solve this problem, web developers and system architects must be educated on security best practices. Until developers embrace software design best practices, attackers will continue to exploit these vectors, sometimes at scale and with substantial consequences, as in the case of Equifax. Recent examples of exploits that resulted from poor software security practices included: • Android debugging • Apache Struts • Cisco Smart Install As Gabriel Cirlig explained in a 2018 blog post 2 , numerous Android devices have debugging that is either turned on by default or enabled by unaware users. This leads to thousands of devices with their root access exposed on the internet. The Trinity malware took advantage of this product weakness and deployed crypto miners into many of these devices. 1. https://laurent22.github.io/so-injections 2. https://www.ixiacom.com/company/blog/trinity-p2p- malware-over-adb 12 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
But how long can software vulnerabilities follow you? Figure 1 provides insight to this question. The Trinity malware exposed the Android root vulnerability in the summer of 2018, yet attacker interest continued months later, with Ixia honeypots seeing thousands of attempted attacks daily in December 2018. The Apache Struts product security weaknesses (CVE- 2018-11776) also continued to plague the internet. The vulnerabilities are similar to those observed in 2017, which resulted in the highly publicized Equifax hack that exposed sensitive data of 143 million people.1 These vulnerabilities put thousands of web applications at risk. Bad actors exploited these weaknesses, using Cryptojacking scripts to infect servers and compromise devices, infecting the devices with crypto mining malware. 1. https://www.bugcrowd.com/threat-report-apache-struts- cve-2018-11776/ But how long can software vulnerabilities follow you? 14,000 8,000 2,000 DECEMBER 1-31, 2018 Figure 1. Trinity malware uptick in December 2018 13 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
4,000 3,000 2,000 1,000 0 APRIL - DECEMBER, 2018 Figure 2. Cisco Smart Install attack attempts in December 2018 Cisco devices were also targets of this type of exploit in 2018. Cisco’s Smart Install feature, designed to provide simple configuration of new devices inside a network, provided the attack vector. Nearly two years earlier, researchers documented the security vulnerability and observed an exploit tool known as SIET1 in the wild. In 2018, new vulnerabilities in devices supporting the protocol revived interest in the exploit. Ixia honeypots started seeing thousands of daily exploit attempts after details of a new vulnerability came out, as shown in Figure 2. 1. https://github.com/Sab0tag3d/SIET Recommendation 1: Buyers should research the common vulnerabilities database and confirm fixes with vendors before deploying new hardware or software upgrades. The CVE database can help customers gauge the security track record and response time of a vendor. 14 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
2. Humans are the Weakest Link Many recently documented compromises (such as the In 2018, Ixia systems detected 662,618 phishing John Podesta/U.S. Democratic National Committee pages in the wild, and 8,546,295 pages hosting or 1 hack ) started with a phishing attempt. As any infected by malware. Clearly, exposure reaches far security researcher can confirm, a well-crafted and beyond organizations with weak perimeter security. well-timed phishing attempt can confuse even the A successful attack on your infrastructure requires most tech-savvy expert into making a mistake that only a single errant click on an email or hypertext leads to a network compromise. An attacker can use call-to-action. While many infected pages that house the results of a successful phishing attack to execute these attacks are taken down in hours or days, some an attack and drop malware on the target’s system. malware samples live online for years on abandoned Once deployed, the attacker can attempt to move websites. One good example is a web page that toward systems of higher value inside the network. serves an old version of the Cerber ransomware. Ixia first detected it on November 21, 2017, yet it is still Security against the human vector requires a online today. Even though this particular attacker is combination of the following: no longer active, the legacy of the malware lives on, • Educating users about the risks that exist in the wild infecting anyone that receives a recycled link. • Detecting and blocking phishing and malware that try to pass the network edge • Blocking endpoint infection attempts if a phishing attack succeeds • Detecting and blocking lateral movement when the previous techniques have failed 1. https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a Recommendation 2: Humans make mistakes. Even the most highly trained people can fall prey to phishing attacks. Technological aids or reminders can help reduce the probability of an attack. For example, an email program that highlights when an incoming email looks like potential spam or phishing, or when it is from an external entity, enables you to pay attention and carefully scrutinize the URLs contained in the email. Also, tools such as password managers enable computers to reinforce security and reduce incidents caused by human error. 15 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
3. Cyber Hygiene is at an All-time Low IT product vendors created code or configurations that caused many successful security breaches in 2018, but IT operations and security personnel also shared the blame. Well-known attacks and attack vectors remain successful because security personnel did not address architecture vulnerabilities and apply patches. This oversight is primarily due to two factors: ignorance of the latest patches, and challenges deploying frequent patches in a timely manner. Both factors leave businesses vulnerable. Many successful breaches in 2018 did not involve new versions of malware or attack methods – existing exploits targeting unpatched vulnerabilities proved to be very effective again in 2018. Here are some examples of this type of exploit: • Persistent brute forcing (public facing systems that can be brute forced) • EternalBlue (disclosed in 2017) • Dahua digital video recorders (a 5-year-old vulnerability) • CVE-2009-4140, a web application vulnerability from 2009 16 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Brute-force attacks have not let up in their 20th There are multiple solutions to help prevent brute- year on the internet, and only continue to grow in force attacks: popularity as devices proliferate. A remote brute- • Utilizing public/private keys for remote force attack involves repeatedly guessing common administration of servers usernames and passwords. This type of attack • Two-factor authentication for remote often targets an administrative console for a web administration application, a remote desktop session, or a listening service (like Secure Shell or Telnet). These services • One-time-use factory-shipped passwords for exist on nearly every type of device, from the largest embedded devices (IoT) assets in the world to millions of small embedded • Disabling remote access until enabled by the devices found everywhere. IoT endpoints in particular user with a custom password had many vulnerabilities in this category. Hackers most frequently attacked Telnet and SSH with brute-force attacks. IoT-targeting botnets (such as Mirai and its clones) prefer to target these two protocols. However, as the graph below shows, any service employing default or weak credentials is at risk. Telnet-Brute-force SSH-Brute-force MySQL/MSSQL Brute-force Generic PHP Application Login Bruteforce SMTP Authentication Bruteforce VNC Bruteforce Others Figure 3. Top brute-force attacks in 2018 17 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Another well-known attack that continues to Mirai and other botnets continue to scan for proliferate is EternalBlue (CVE-2017-0144). The vulnerabilities that are more than 5 years old, such infamous WannaCry malware leveraged EternalBlue as Dahua DVRs and video cameras. Many victims in May 2017. Despite EternalBlue’s age, it continued do not even realize they are affected. Ixia began to gain momentum in 2018. This vulnerability only tracking Mirai-based bots soon after they started impacts hosts running Windows 7 or previous spreading. Ixia solutions identify the command and editions. Bad actors heavily scanned for vulnerable control anomalies, as well as the bots themselves, systems throughout 2018; the number of scanning based on packet attributes. attempts for this vulnerability was three times greater in December 2018 than in January 2018. See the Ixia data in Figure 4. 5M 4M 3M 2M 1M 0 JANUARY - DECEMBER, 2018 Figure 4. EternalBlue scanning attempts by bad actors in 2018 One victim was a laundromat company. The botnet would compromise the company’s internet-connected security cameras, adding them to the botnet. The cameras would livestream footage of whatever they pointed at. As the exploit continued, the traffic would overload system resources. Once this happened, the cameras would stop working. The owner would reboot the cameras, and they would return to factory defaults. The cameras would behave normally for a few days, and then the cycle would repeat. The owners were unaware that the equipment kept failing because of product security design defects. Instead, they assumed they had purchased a cheap product with poor reliability. 18 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
While a laundromat might seem innocuous, the Figure 5 shows one example of how hackers are still key point is that the IoT device threat is real. trying to exploit older vulnerabilities in Dahua DVRs. These devices could be cameras, in-home routers, Equipment that should have been patched or removed televisions, or millions of other things. Security from the internet remains in place without remediation. patching requires ongoing investment from both the vendor and the device owner. If left unpatched, attackers will discover and exploit these design flaws. 1600 1400 1200 1000 800 600 400 200 0 August 2018 September 2018 October 2018 November 2018 December 2018 Figure 5. Attackers still target Dahua DVR (CVE-2013-6117) exploit from 2013 19 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Additional research shows that many hackers The CVE-2009-4140 vulnerability allows complete are simply opportunists. They try to find as access to a system. Remote authenticated users many vulnerable older systems as they can. One can execute arbitrary code by uploading a file to the example is CVE-2009-4140, which demonstrates system. Activity targeting this old vulnerability for that opportunists will look through the archive of web applications reappeared in Ixia honeypots in vulnerabilities to try to find exploitable systems 2018, as shown in Figure 6. running ancient software on the internet. Old equipment may still be in use or redeployed as a backup. Older software is less likely to receive patch updates or intrusion-detection and -prevention signatures for security threats, increasing risk for organizations that deploy it. 500 400 300 200 100 0 JANUARY - DECEMBER, 2018 Figure 6. CVE-2009-4140 exploitation continues Recommedation 3: Keep your business secure by reviewing public exploit websites (like www.mitre.org) to see a list of common vulnerabilities and apply the recommended patches and architectural fixes. 20 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
4. Security Vulnerability Disclosures are a Double-edged Sword Vulnerability reporting helps vendors and consumers identify security flaws. When security engineers find a zero-day vulnerability, security threat, or other exploit, sharing information quickly is a common practice, so that vendors can fix their code and IT teams can secure their networks. But vulnerability reporting also informs hackers, who often can move faster than vendors or enterprise IT. Ixia has observed more successful security attacks following the disclosure of new vulnerabilities. Here are examples of exploits where hackers were able to move faster than vendors and IT teams: • Mirai • Drupalgeddon • D-Link DSL-2750B remote code execution vulnerability 21 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Mirai, the botnet that hit the internet in 2016, originally used brute force to target embedded devices listening on Telnet. Mirai source code was released to open source communities, spawning many copycat versions that use brute-force SSH attacks and incorporate multiple other embedded device vulnerabilities to increase the rate of compromise. Mirai derivatives remain high on the list of active botnets on the Internet and remain a persistent and evolving threat to embedded Linux systems. Figure 7 illustrates the ongoing risk from this attack. 50M 40M 30M 20M 10M 0 JANUARY - DECEMBER, 2018 Figure 7. Mirai resurgence in late 2018 22 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Drupalgeddon, originally referred to as CVE-2014-3704, is a SQL injection vulnerability that targets the Drupal web framework. Last year, researchers uncovered and responsibly disclosed similarly dangerous flaws that they dubbed Drupalgeddon 2 and 3. Drupalgeddon 2 (CVE-2018-7600) was responsibly disclosed. The researcher warned the development team, giving the team time to create and issue a patch before the exploit details became public. After private notification, the researcher released information necessary to exploit each vulnerability on April 12 and April 25, 2018, respectively. As shown in Figure 8, exploit attempts quickly followed. Interest in these two vulnerabilities then waned, mainly because the fast patching process quickly reduced the number of available targets. 1600 1400 1200 1000 800 600 400 200 0 April 1, 2018 April 15 April 29 May 13 May 27 Figure 8. Drupalgeddon 2 and 3 attack waves start in April 4500 4000 3500 3000 2500 2000 1500 1000 500 0 January 2018 March May July September November Figure 9. Drupalgeddon 2 and 3 attacks wane after May 2018 23 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
20,000 18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0 January 2018 March May July Septmber Septmber Figure 10. D-Link DSL-2750B exploit On May 25, 2018, a new tool emerged that exploited a vulnerability in D-Link DSL-2750B routers. Attackers quickly seized the new tool and attempted to exploit the vulnerability. Interest peaked in August and September when newer versions of Mirai clones attempted to exploit this vulnerability. Recommedation 4: Disclosing vulnerability and exploit information in closed communities can reduce risk and slow hackers down, giving application developers and enterprises an opportunity to patch defects before hackers create tools to exploit the vulnerabilities in the wild. 24 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
5. Crypto-jacking Activity Reached New Peaks in 2018 Ixia predicted the rise of crypto-miners in its 2017 annual security report. Not only did this trend emerge, but hackers combined multiple classic attacks to deliver nearly autonomous malware, capable of spreading internally and building massive shadow networks dedicated to crypto mining. Ixia honeypots captured several new exploits that run an EternalBlue scan and, when successful, deposit a crypto miner onto the network. The meteoric rise of cryptocurrency value in 2018 drove a new form of compute resource monetization. Classic malware tried to find something of value on a compromised system, often ransoming the data. With crypto-mining, the compromised system itself provides value through the mining of cryptocurrencies. It is easier for bad actors to mine for cryptocurrency than to ransom or steal something else of value. Detection poses little risk to the hacker using an anonymous cryptocurrency. This low-risk, high-reward environment means that ransomware is no longer the exploit of choice. Instead, many new exploits now focus on automating the installation and distribution of miner malware to as many hosts as possible. 25 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Cloud misconfigurations caused many data breaches in 2018. In many cases, organizations stored personally identifiable information (PII) in the clear in Amazon S3 databases. Plain-text storage, combined with human errors that exposed the database to hackers, caused many costly data breaches in 2018. While human error causes some of these incidents, others clearly stem from a lack of understanding of security best practices. Cloud security teams could benefit from working more closely with their on- premises IT security teams, leveraging best practices learned from years of on-premises IT application deployments. Cloud technology works differently, but that is no excuse for breach of PII. Your choice of technology platform will not reduce the fine levied for breach of personally identifiable data. Recommedation 5: Adding network visibility helps you see when someone or something is mining cryptocurrencies, so you can curb such activities. 26 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
SECTION 04 SECURITY WATCH LIST FOR 2019 Based upon Ixia-collected data and historical activity, the Ixia ATI team predicts the following six trends for 2019: • Abuse of low-value endpoints will escalate • Brute-force attacks on public-facing systems and resources will increase • Cloud architectures create complexity that increases attack surfaces • Phishing will continue to evolve. As more companies begin using similar enterprise email systems (Office 365, G Suite), better phishes will help hackers get around defenses • Multiphase attacks that use lateral movement and internal traffic will increase • Crypto mining/cryptojacking attacks will increase 27 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Trend 1: Trend 2: Abuse of Low-value Brute-force Attacks on Endpoints will Escalate Public-facing Systems and Resources Will Increase Until basic security hygiene improves, hacks like Mirai This attack vector has existed for close to 20 years. and cryptojacking will continue unabated. With more While solutions exist to eliminate this attack vector, we devices connecting to the internet every day, the continue to see the same mistakes made repeatedly number of targets continues to increase — and so will by vendors and IT practitioners. It appears there the number of victims. will always be a server out there with the username “root” and the password “password” that a hacker can exploit. Individuals can prevent attacks on their systems by changing default credentials, but only adoption of two-factor and public/private key authentication will provide a permanent solution. Brute-force exploits will also increase significantly for enterprises and carriers with the proliferation of IoT devices. Many forget, or do not understand, that these devices ship with default credentials. In addition, the devices are actively broadcasting — so they can connect to an internet router and relay data. Attackers can exploit this mechanism to connect to the IoT device and take it over. 28 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Trend 3: Trend 4: Cloud Architectures Create Phishing Attacks Will Become Complexity That Increases More Focused During the Next Attack Surfaces Two Years On-premises architectures gave security personnel Enterprises invest thousands to train employees to complete control of their equipment and architecture. recognize phishing attacks. In response, hackers Public cloud-based solutions give no control over create better phishes that are less obvious to server and network architecture. Attacks like victims, and more targeted. Growing Office 365 Spectre (CVE-2017-5753) and CVE-2019-6260 and Google G Suite adoption will help slow down are just the beginning of the new types of attacks phishing momentum. Both tools provide some aimed at cloud users and their data. The speed phishing indicators. However, well planned attempts and dynamic capabilities of public clouds have will get past these newer defenses. Hackers will unfortunately exposed a new attack vector: service relentlessly attack any system that provides a larger misconfiguration. Misconfigured services provide potential payoff. an open gate that hackers and bad actors can walk through, often with disastrous results. 29 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Trend 5: Trend 6: Multiphase Attacks That Use Crypto Mining and Lateral Movement and Internal Cryptojacking Attacks Traffic Will Increase will Increase Malware dwell times can exceed 100 days. Malware For decades, hackers sought to compromise systems, often goes undetected because command and steal data, and more recently ransom computers. A control traffic is sporadic, hidden like a needle in a shift has occurred, where new attacks target the haystack and disguised to look like normal HTTPS systems themselves. Rather than stealing data at traffic. Many organizations only monitor at ingress rest, attacker use compromised systems for crypto and egress points in their network. As attacks grow mining. Old unpatched vulnerabilities previously more sophisticated, we expect detection times will used for ransomware or DDoS networks are easily continue to grow longer. We also expect attackers exploited to deliver crypto mining software. to utilize more LAN-to-LAN attacks, hoping to avoid Advanced crypto miners do not depend on classic detection by abusing the trust of internal traffic. command and control architectures, making Micro-segmentation can increase visibility, helping them harder to detect and prevent fluctuating detect and catch lateral movements. cryptocurrency values may slow the growth of mining networks, but mining will continue to offer financially attractive incentives to hackers looking to make some quick money. 30 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
SECTION 05 CONCLUSION In 2018, we observed important shifts in the threat landscape. We observed new malware variants, and new versions of well- known legacy exploits. We observed many security breaches due to misconfiguration errors, and we saw this trend extend further into cloud-hosted software and services. Cloud services offer nearly instant access to a wide variety of scalable platforms and services, but with that speed comes a rapidly expanding attack surface, and more opportunities for human error. 31 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Network complexity continues to rise and attack IT teams can make many improvements to enhance complexity mirrors the network landscape. Some their security architecture. We recommend that you attacks die off, while others are reborn as new variants implement these activities now: year to year. The ever-changing landscape requires • Perform a security patch analysis versus your vigilance and quick responses from your security team. security control protections Our research also uncovered data that indicates that • Analyze your public cloud security architecture, the following six items will pose the most threat to and audit application access policies enterprises over the coming one to two years. We • Review password security practices for your IT suggest that you review your security architecture for systems and equipment the following threats: 1. Abuse of low value endpoints will increase Our research shows that basic security hygiene this year practices could prevent or minimize the impact of many breaches. Security teams that ignore these practices 2. Brute force attacks will increase on your public are more likely to suffer a breach. facing assets Patch analysis may sound boring, but too often, a 3. Cloud networks are increasing complexity, which single engineer is responsible for patch maintenance is increasing attack surfaces of an application or piece of equipment. If that 4. Phishing attacks will become more focused over engineer leaves the company, responsibility for the next two years patch maintenance may fall through the cracks. Our 5. Multiphase attacks that use lateral movements data shows that in many cases, year-old unpatched and internal traffic will increase vulnerabilities allowed exploits to happen. 6. Crypto mining attacks will increase If you have vulnerable systems that you cannot immediately patch, do you know whether your security controls will protect you? 32 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Another basic hygiene practice is default password security. IT professionals should remove factory default or well-known passwords before devices are deployed. This mitigates nearly all brute-force attacks and exploits. Brute-force attacks continue to work, because IT continues to deploy equipment with default passwords. Eliminating these passwords would eliminate this attack vector. Cloud architectures continue to grow in popularity. However, security personnel are often not involved in all aspects of cloud implementations. Enterprises learned long ago that stateful inspection firewalls and logs were insufficient to protect against application level attacks, but many cloud providers offer these features as standard defenses. Additional lines of defense are crucial to protect applications in the cloud. 33 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
As noted earlier, the number of data breach incidents rose in 2018, with more incidents attributed to misconfigured cloud applications and resources. Some common cloud security mistakes include failure to encrypt personally identifiable data, incorrect data access permissions, and unpatched code creating vulnerabilities in the application stack. Cloud technology works differently, but data breach laws and fines don’t discriminate. We here at Ixia, and the ATI team, understand these complexities and are here to help you safely navigate the ever evolving cyber world. 34 INTRODUCTION RESEARCH CENTER THREAT INSIGHTS SECURITY WATCH CONCLUSION 2019 Ixia Security Report
Ixia can help you secure your network, data, and applications. To learn how network packet brokers and taps can augment your security infrastructure to give you the visibility you need to act fast — ask for a demo, and we would be happy to show you what is possible. Contact us at ixiacom.com Find us at www.ixiacom.com 915-9331-01-4091 Rev A I © Keysight Technologies, 2019
You can also read